CVE-2023-46818 PoC — ISPConfig 安全漏洞

Source

Associated Vulnerability

Description

CVE-2023-46818 - ISPConfig PHP Code Injection PoC Exploit (Bash)

Readme

# CVE-2023-46818 
ISPConfig - PHP Code Injection PoC Exploit (Bash)

<br><br> 
<div align="center">
  <img width="250" src="https://www.ispconfig.org/wp-content/themes/ispconfig/images/ispconfig_logo.png" alt="langfile-injection"> <br> <br>
  <p>CVE-2023-46818 <br>
  <b>Authenticated PHP Code Injection in ISPConfig</b> <br>
  for more details: <b><a href="https://karmainsecurity.com/KIS-2023-13"> advisory </a></b>
  </p>
</div>

![CVE-2023-46818 PoC](https://www.zyenra.com/assets/img/CVE-2023-46818-poc.png)


### Introduction 

`ISPConfig` versions <= 3.2.11 are vulnerable to an authenticated PHP code injection vulnerability via the `records[]` parameter in the `/admin/language_edit.php` endpoint. A malicious authenticated admin user can exploit this to inject arbitrary PHP code, leading to remote code execution. The vulnerability occurs due to unsanitized handling of language file input used in dynamically generated PHP code.

<br>

### Usage 

```bash
git clone https://github.com/rvizx/CVE-2023-46818
cd CVE-2023-46818
chmod +x exploit.sh
./exploit.sh <target> <username> <password>
```

<br>
Note: This exploit requires valid ISPConfig admin credentials and will deploy a command web shell accessible at `/admin/sh.php`. It provides a terminal-like interface for continuous command execution on the target system.
<br><br><br>


### Credits

Researcher: Egidio Romano (aka EgiX) | [n0b0d13s[at]gmail[dot]com] <br>
Original Advisory: https://karmainsecurity.com/KIS-2023-13 <br>

File Snapshot

 [4.0K]  /data/pocs/72e9eedf7c37b2f446387d338e270882793f93ab
├── [2.6K]  exploit.sh
└── [1.5K]  README.md

0 directories, 2 files

Remarks